We've integrated the GFS Checkout widget into our store a year ago, and now we have a security issue. When user selects a delivery option from a list, the widget provide us with an option id AND a price, that is send to our own API and saved. The problem is that a hacker could decrease the delivery price value and send this modified value disrupting calculations on our side. We decided to retrieve this price value via Server to Server request, making it secure. Right now we have two ways to retrieve the price of delivery option:
1) Use REST Api as described on the documentation web page (request to connect2.gfsdeliver.com, SESSION GET). The problem is that we have to recreate a session from scratch because SessionID from Widget doesn't work with that rest (is it supposed to work or we have different session ids for gfsdeliver.com and justshoutgfs.com?). When we recreate session from scratch on the server side, we have to supply many parameters when we already send them to the font end, this duplication doesn't feel right for me.
2) Use undocumented rest used by the widget, that way we just repeat the request to rest-checkout.justshoutgfs.com on the server side. We can use the same session id and it looks better, but this API is not documented and could be changed in the future.
What do you think, which way is better?
Thanks in advance!